In the named.conf.options.erb template, the working_dir variable is not expanding. So, this line:

file "<%= @working_dir %>/named_querylog"

ends up looking like this in /etc/named/named.conf.options:

file "/named_querylog"

Interestingly, using @data_dir performs the substitution just fine, and of course, explicitly setting the path works too.

The master branch is 18 commits ahead of the last release, and includes some useful bug fixes. Any chance we can get another release soon?

Hi (and sorry for my english).
I found a way to update zone serial only when necessary...

The basic idea is to separate SOA record and other dns-records (i call it zone data) on 2 files. And update SOA ( zone-serial ) only by notify of changing zone data.
To separate files we can use $INCLUDE directive in zone file.
To illustrate this idea, I wrote a simple module from 3 files (2 manifests and 1 template):

manifests/init.pp

class dns-test {
  include concat::setup

  $ttl = 3600
  $zone_name = "example.com"
  $zone_file_soa = "/tmp/db.${zone_name}"
  $zone_file_data = "${zone_file_soa}.data"

  concat { $zone_file_data:
    notify => Exec["${zone_name}-soa"],
  }
  $zone_soa = template("${module_name}/soa.erb")
  exec { "${zone_name}-soa":
    path => [ "/bin", "/sbin", "/usr/bin", "/usr/sbin" ],
    command => "echo \'$zone_soa\' > ${zone_file_soa}",
    refreshonly => true,
 }
}

manifests/record.pp

define dns-test::record {
  include concat::setup

  $zone_file_data = $dns-test::zone_file_data

  concat::fragment { "resource-${name}":
    target  => $zone_file_data,
    content => "${name}\n",
    order   => 05,
  }
}

templates/soa.erb

$ORIGIN <%= @zone_name %>.
$TTL <%= @ttl %>       ; TTL
@                              IN SOA  ns1.<%= @zone_name %>. root.<%= @zone_name %>. (
                                <%= Time.now.to_i %> ;serial
                                3h      ; refresh (3 hours)
                                1h      ; retry (1 hour)
                                1w      ; expire (1 week)
                                1d      ; minimum (1 day)
                                )
$INCLUDE <%= @zone_file_data %> ; !!! Magic string :)

Usage:

node test {
  include dns-test
  dns-test::record {
    "site1   A    1.1.1.1": ;
    "site2   A    1.1.1.2": ;
    "site3   A    1.1.1.3": ;
  }
}

As a result, we have two file:

/tmp/db.example.com

$ORIGIN example.com.
$TTL 3600       ; TTL
@                              IN SOA  ns1.example.com. root.example.com. (
                                1374956576 ;serial
                                3h      ; refresh (3 hours)
                                1h      ; retry (1 hour)
                                1w      ; expire (1 week)
                                1d      ; minimum (1 day)
                                )
$INCLUDE /tmp/db.example.com.data ; !!! Magic string :)

and /tmp/db.example.com.data

site1   A   1.1.1.1
site2   A   1.1.1.2
site3   A   1.1.1.3

In this example, we have a problem:

On update only SOA parameters (in my sample it only TTL) SOA-file will not be updated.
As a workaround we put in the header of the data file all possible SOA-variables as comment.
For this, we need another template:

templates/data-header.erb

; need only for Puppet
; ttl: <%= @ttl %>, (place here all the SOA-variables that you need)
;

And include this in init.pp:

Updated manifests/init.pp

class dns-test {
  include concat::setup

  $ttl = 3600
  $zone_name = "example.com"
  $zone_file_soa = "/tmp/db.${zone_name}"
  $zone_file_data = "${zone_file_soa}.data"

  concat { $zone_file_data:
    notify => Exec["${zone_name}-soa"],
  }

  ### Added lines
  concat::fragment{"${zone_name}-data-header":
      target  => $zone_file_data,
      order   => 1,
      content => template("${module_name}/data-header.erb")
  }
  ###

  }
  $zone_soa = template("${module_name}/soa.erb")
  exec { "${zone_name}-soa":
    path => [ "/bin", "/sbin", "/usr/bin", "/usr/sbin" ],
    command => "echo \'$zone_soa\' > ${zone_file_soa}",
    refreshonly => true,
 }
}

updated version of /tmp/db.example.com.data

; need only for Puppet
; ttl: 3600, (place here all the SOA-variables that you need)
;
site1   A   1.1.1.1
site2   A   1.1.1.2
site3   A   1.1.1.3

I think it is a simple and elegant way to solve the problem this zone-serial update.

P.S. I tested, it really works!

The puppet concat module is at version 2.0. This module is set to use only versions less than v2. This means that this module can not be installed with systems that are using the current concat module, which means it is incompatible with up to date modules.

I attempted to resolve this with pull request #116, but for some reason that pull request was closed without comment.

So, several questions:

• Is it considered poor form to poach from another project? inkblot does logging well
• Maybe we could copout and just allow for arbitrary additional file includes?

We're getting timeouts when trying to do puppet runs with large number of zones (5000+) and records (5000+)...is anyone using this module with a large amount of records successfully?

There is no way to set forwarders But this configuration is very important.

@ajjahn I've made the metadata.json and bumped to 1.1.0. Can you bump what is on the forge?

I'm not sure if it's possible with the current architecture of the module, but have there been any discussions around being able to use a non-standard cfg_dir for the named configuration files?

In my home servers, I run named in a chroot environment, which means it actually picks up its configuration files from /var/named/chroot/etc, not from plain /etc. However, at the current time, I don't see any way to get this module to place the named config files anywhere other than the OS-specific default.

Pull Request #112 breaks all sorts of things in the "named.conf" file.

• The "rndc_key_file" isn't set to the proper default ("/etc/bind/rndc.key") so it prevents bind from starting up.

named[2239]: loading configuration from '/etc/bind/named.conf'
named[2239]: /etc/bind/named.conf:16: open: /etc/bind/ns-example-com_rndc-key: file not found
named[2239]: loading configuration: file not found
named[2239]: exiting (due to fatal error)

• The zone "." is already defined in the rfc1912 zones file, so this causes it to be defined twice which again prevents bind from starting up.

named[2297]: loading configuration from '/etc/bind/named.conf'
named[2297]: /etc/bind/named.conf:6: open: /etc/bind/ns-example-com_rndc-key: file not found
named[2297]: loading configuration: file not found
amed[2297]: exiting (due to fatal error)

I want to integrate the possibility of views in this module. However, it seems to be a bit difficult after several attempts, since the configuration has to be adapted in several places.

I'm able to create a view with the following code:
Pastebin

but I get, of course, an error message:

/etc/named.rfc1912.zones:13: when using 'view' statements, all zones must be in views

The cause of the error is in the "named.conf.erb" file that makes an include:

include "/etc/named.rfc1912.zones";

When a view is used in this module, this include should be included by an view, like as follow:

view "global" { match-clients { any; } include "/etc/named.rfc1912.zones"; };

Is there another way or what solution would you propose?

Andy

DNS Module Version 2.0.2
I get this error with both 3.8 and 4.x puppet versions. by simply adding include dns::server to the node def.

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: {"message":"Server Error: Evaluation Error: Error while evaluating a Function Call, validate_re(): input needs to be a String, not a NilClass at /etc/puppetlabs/code/environments/production/modules/dns/manifests/server/default.pp:29:3 on node mother.openstack.tld","issue_kind":"RUNTIME_ERROR"}
/usr/share/ruby/vendor_ruby/puppet/indirector/rest.rb:207:in is_http_200?' /usr/share/ruby/vendor_ruby/puppet/indirector/rest.rb:100:in find'
/usr/share/ruby/vendor_ruby/puppet/indirector/indirection.rb:201:in find' /usr/share/ruby/vendor_ruby/puppet/configurer.rb:294:in block in retrieve_new_catalog'
/usr/share/ruby/vendor_ruby/puppet/util.rb:335:in block in thinmark' /usr/share/ruby/benchmark.rb:296:in realtime'
/usr/share/ruby/vendor_ruby/puppet/util.rb:334:in thinmark' /usr/share/ruby/vendor_ruby/puppet/configurer.rb:293:in retrieve_new_catalog'
/usr/share/ruby/vendor_ruby/puppet/configurer.rb:61:in retrieve_catalog' /usr/share/ruby/vendor_ruby/puppet/configurer.rb:106:in prepare_and_retrieve_catalog'
/usr/share/ruby/vendor_ruby/puppet/configurer.rb:202:in run_internal' /usr/share/ruby/vendor_ruby/puppet/configurer.rb:134:in block in run'
/usr/share/ruby/vendor_ruby/puppet/context.rb:64:in override' /usr/share/ruby/vendor_ruby/puppet.rb:246:in override'
/usr/share/ruby/vendor_ruby/puppet/configurer.rb:133:in run' /usr/share/ruby/vendor_ruby/puppet/agent.rb:47:in block (4 levels) in run'
/usr/share/ruby/vendor_ruby/puppet/agent/locker.rb:20:in lock' /usr/share/ruby/vendor_ruby/puppet/agent.rb:47:in block (3 levels) in run'
/usr/share/ruby/vendor_ruby/puppet/agent.rb:117:in with_client' /usr/share/ruby/vendor_ruby/puppet/agent.rb:44:in block (2 levels) in run'
/usr/share/ruby/vendor_ruby/puppet/agent.rb:82:in run_in_fork' /usr/share/ruby/vendor_ruby/puppet/agent.rb:43:in block in run'
/usr/share/ruby/vendor_ruby/puppet/application.rb:179:in call' /usr/share/ruby/vendor_ruby/puppet/application.rb:179:in controlled_run'
/usr/share/ruby/vendor_ruby/puppet/agent.rb:41:in run' /usr/share/ruby/vendor_ruby/puppet/application/agent.rb:361:in onetime'
/usr/share/ruby/vendor_ruby/puppet/application/agent.rb:327:in run_command' /usr/share/ruby/vendor_ruby/puppet/application.rb:381:in block (2 levels) in run'
/usr/share/ruby/vendor_ruby/puppet/application.rb:507:in plugin_hook' /usr/share/ruby/vendor_ruby/puppet/application.rb:381:in block in run'
/usr/share/ruby/vendor_ruby/puppet/util.rb:496:in exit_on_fail' /usr/share/ruby/vendor_ruby/puppet/application.rb:381:in run'
/usr/share/ruby/vendor_ruby/puppet/util/command_line.rb:146:in run' /usr/share/ruby/vendor_ruby/puppet/util/command_line.rb:92:in execute'
/usr/bin/puppet:8:in `

Due to the zone's serial being set to Time.now.to_i, puppet has to recompile the zone file even if the records haven't changed.

A couple solutions:

1. One solution would be to set the serial manually in the manifest
2. Check each concat fragment for differences, only timestamp the zone's serial if there have been changes.

I have setup views on my bind box. My views break if I do not comment out the last two line in named.conf...

include "/etc/bind/named.conf.options";
//include "/etc/bind/named.conf.local";
//include "/etc/bind/named.conf.default-zones";

I have my views setup as follows...

//
// Lan zone recursion is the default
//
view "internal-view" {
match-clients { trusted-subnets; };
recursion yes;
include "/etc/bind/named.conf.default-zones";
zone "example.com" {
type master;
file "/etc/bind/db.internal.example.com";
};
zone "1.0.10.in-addr.arpa" {
type master;
notify no;
file "/etc/bind/db.1.0.10.IN-ADDR.ARPA";
};
zone "2.0.10.in-addr.arpa" {
type master;
notify no;
file "/etc/bind/db.2.0.10.IN-ADDR.ARPA";
};
zone "3.0.10.in-addr.arpa" {
type master;
notify no;
file "/etc/bind/db.3.0.10.IN-ADDR.ARPA";
};
};
//
// external zone w/o recursion
//
view "external-view" {
match-clients { any; };
recursion no;
allow-transfer { slaves; };
include "/etc/bind/named.conf.local";
};

What do you suggest is the best way to deal with this? Allowing for the ability to pass is a source attribute into your file resource for /etc/bind/named.conf in config.pp? Managed the resulting named.conf via augeas?

Thanks in advance.

Cheers.

Hi,

Is there any way to add a particular record to multiple zones, or even all zones?

Thanks,

Alex

May 4 01:29:31 hawk puppet-agent[3778]: (/Stage[main]/Dns::Server::Service/Service[bind9]) Starting domain name service...: bind9 failed!
May 4 01:29:31 hawk puppet-agent[3778]: (/Stage[main]/Dns::Server::Service/Service[bind9]) Wrapped exception:
May 4 01:29:31 hawk puppet-agent[3778]: (/Stage[main]/Dns::Server::Service/Service[bind9]) Execution of '/etc/init.d/bind9 restart' returned 1: Stopping domain name service...: bind9 waiting for pid 2831 to die.
May 4 01:29:31 hawk puppet-agent[3778]: (/Stage[main]/Dns::Server::Service/Service[bind9]) Starting domain name service...: bind9 failed!
May 4 01:29:32 hawk puppet-agent[3778]: Finished catalog run in 7.24 seconds
May 4 01:29:46 hawk named[4182]: starting BIND 9.7.3 -u bind
May 4 01:29:46 hawk named[4182]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=' 'CPPFLAGS='
May 4 01:29:46 hawk named[4182]: adjusted limit on open files from 1024 to 1048576
May 4 01:29:46 hawk named[4182]: found 4 CPUs, using 4 worker threads
May 4 01:29:46 hawk named[4182]: using up to 4096 sockets
May 4 01:29:46 hawk named[4182]: loading configuration from '/etc/bind/named.conf'
May 4 01:29:46 hawk named[4182]: /etc/bind/named.conf.options:26: boolean expected near 'auto'

DNS TXT records have specific formatting requirements.

1. per RFC1035 section 3.3.14, they are composed of one or more character strings.
2. per RFC1035 section 3.3, each character string can be up to 255 characters (section 3.3 indicates 256 octets, but includes the length octet as part of that count).
3. per common usage, if a TXT record consists of multiple character strings, the application processing that record concatenates the character strings together with no intervening characters.
4. per RFC1035 section 5, if a character string includes spaces, it must be enclosed in double-quotes ("). Within the double-quotes, any character can occur except another double-quote; double-quotes must be escaped by backslashes (\) (and by implication, backslashes must also be escaped by backslashes).

Based on these requirements, the dns::record::txt record type should:

1. split the $data value up into 255 (at most) character chunks.
2. escape all double-quotes and backslashes within each chunk by inserting a backslash before the escaped character.
3. surround each chunk with double-quotes.
4. separate the chunks by a space.

For example:

dns::record::txt { 'txt1.example.com':
    host => "txt1' ,
    zone => 'example.com' ,
    data => 'test "number one"' ,
}

should result in the following dns::record resource:

dns::record { 'txt1.example.com,TXT,example.com':
    zone   => 'example.com' ,
    host   => 'txt1' ,
    ttl    => '' ,
    record => 'TXT' ,
    data   => '"test \"number one\""'
}

And a text record with a very long data value ('this is a very (x60) long test') should result in something like...

dns::record { 'txt2.example.com,TXT,example.com':
    zone   => 'example.com' ,
    host   => 'txt2' ,
    ttl    => '' ,
    record => 'TXT' ,
    data   => '"this is a very very very…very " "very very very very very very very very very very very long test"'
}

I will submit a PR for this shortly.

It appears that the dns::server class has the data_dir hard coded to /etc/bind/zones. However, this is not the correct directory for dynamic zone files. The correct path on Ubuntu should be /var/lib/bind or /var/lib/bind/zones. It would be nice if this was configurable, or at least changed to the correct location.

In pupetlabs-stdlib version 4.10.0, the validate_re function was "improved" to include not allowing its use on any value other than a string. This breaks existing code that relied on undef being treated the same as an empty string in the previous version.

I will submit a PR to fix the failing validate_re instances.

It is not possible to set this parameter via the dns::zone class.

http://www.zytrax.com/books/dns/ch7/xfer.html#allow-update-forwarding

Being able to set arbitrary parameters would also be a potentially nice improvement

Hey guys i have an odd error i'm not sure if i have misconfigured something or not.

[root@dns ~]# puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for dns.setkeh.local
Info: Applying configuration version '1428175723'
Notice: /Stage[main]/Dns::Server::Install/Package[bind-utils]/ensure: created
Notice: /Stage[main]/Dns::Server::Config/File[/etc/named]/owner: owner changed 'root' to 'named'
Notice: /Stage[main]/Dns::Server::Config/File[/etc/named]/mode: mode changed '0750' to '0755'
Notice: /Stage[main]/Dns::Server::Config/File[/etc/named/bind.keys.d/]/ensure: created
Notice: /Stage[main]/Dns::Server::Config/File[/etc/named.conf]/owner: owner changed 'root' to 'named'
Notice: /Stage[main]/Dns::Server::Config/File[/etc/named.conf]/mode: mode changed '0640' to '0644'
Info: /Stage[main]/Dns::Server::Config/File[/etc/named.conf]: Scheduling refresh of Class[Dns::Server::Service]
Info: /Stage[main]/Dns::Server::Config/File[/etc/named.conf]: Scheduling refresh of Class[Dns::Server::Service]
Error: Could not set 'present' on ensure: No such file or directory - /etc/bind/named.conf.options20150404-12319-h6cff6.lock at 87:/etc/puppet/modules/dns/manifests/server/options.pp
Error: Could not set 'present' on ensure: No such file or directory - /etc/bind/named.conf.options20150404-12319-h6cff6.lock at 87:/etc/puppet/modules/dns/manifests/server/options.pp
Wrapped exception:
No such file or directory - /etc/bind/named.conf.options20150404-12319-h6cff6.lock
Error: /Stage[main]/Main/Node[dns.setkeh.local]/Dns::Server::Options[/etc/bind/named.conf.options]/File[/etc/bind/named.conf.options]/ensure: change from absent to present failed: Could not set 'present' on ensure: No such file or directory - /etc/bind/named.conf.options20150404-12319-h6cff6.lock at 87:/etc/puppet/modules/dns/manifests/server/options.pp
Notice: /Stage[main]/Dns::Server::Config/Concat[/etc/named/named.conf.local]/File[/etc/named/named.conf.local]/ensure: defined content as '{md5}3a37399747950532b8d18b1e11188fcc'
Info: Concat[/etc/named/named.conf.local]: Scheduling refresh of Class[Dns::Server::Service]
Info: Class[Dns::Server::Service]: Scheduling refresh of Service[named]
Notice: /Stage[main]/Dns::Server::Service/Service[named]: Dependency         File[/etc/bind/named.conf.options] has failures: true
Warning: /Stage[main]/Dns::Server::Service/Service[named]: Skipping because of failed           dependencies
Notice: /Stage[main]/Dns::Server::Service/Service[named]: Triggered 'refresh' from 1 events
Notice: Finished catalog run in 4.56 seconds

my site.pp has

node 'dns.setkeh.local' {
  #puppet code

  include dns::server

  # Forwarders
  dns::server::options { '/etc/bind/named.conf.options':
    forwarders => [ '8.8.8.8', '8.8.4.4' ]
  }

  # Forward Zone
  dns::zone { 'setkeh.local':
    soa         => 'ns1.setkeh.local',
    soa_email   => '[email protected]',
    nameservers => ['ns1']
  }

  # Reverse Zone
  dns::zone { '1.168.192.IN-ADDR.ARPA':
    soa         => 'ns1.setkeh.local',
    soa_email   => '[email protected]',
    nameservers => ['ns1']
  }

  # A Records:
  dns::record::a {
    'dns':
      zone => 'setkeh.local',
      data => ['192.168.1.254'],
      ptr  => true;
    'test':
      zone => 'setkeh.local',
      data => ['192.168.1.12'],
      ptr  => true;
  }
}

Any suggestions on how to fix this ??
Thanks :)

@solarkennedy @danzilio Do you guys want to make a push toward 2.0? Maybe start buy making one more pass at issues/pull requests, then stabilize?

I really want to implement views, but after hacking at it for awhile, I'm not entirely sure how to implement this. The problem is that zones need to be nested inside the view in which they belong. There's a one-to-many relationship between views and zones, and the puppet language doesn't give us a good way implement this relationship. I've just started toying with the idea of implementing this by creating a namespace for the concat priority. An example would be the view having a concat priority of 1000, but using an inline template to make the concat priority of the zones inside that view be 1001. I'm really not sure what this would look like...I'm going to have to flesh it out some more. Any ideas?

Suggested in #176.

puppet runs destroy the zone file.. any plans to deal with this at all?

I am working on getting that going. as soon as I have a working commit I will put in a pull req

This module wants to install dnssec-tools, which can be found in the "epel" repository for CentOS.

Here is the error I see after a puppet agent run:

Error: Could not update: Execution of '/usr/bin/yum -d 0 -e 0 -y list dnssec-tools' returned 1: Error: No matching Packages to list
Wrapped exception:
Execution of '/usr/bin/yum -d 0 -e 0 -y list dnssec-tools' returned 1: Error: No matching Packages to list
Error: /Stage[main]/Dns::Server::Install/Package[dnssec-tools]/ensure: change from absent to latest failed: Could not update: Execution of '/usr/bin/yum -d 0 -e 0 -y list dnssec-tools' returned 1: Error: No matching Packages to list

After installing stahnma-epel puppet finishes it's configuration:

puppet module install stahnma-epel

I think this stahnma-epel (or another epel manifest) should be a dependency of puppet-dns.

I see an error when using this module. My manifest is like this: (I have replaced sensitive information)
/etc/puppet/manifests/site.pp:

node 'hostname.domain.tld' inherits default {
 include dns::server
 include custom::zones
}

/etc/puppet/modules/custom/manifests/zones.pp:

class custom::zones {
  dns::zone { 'example.com':
   soa         => 'ns1.example.com',
   soa_email   => 'admin.example.com',
   nameservers => ['ns1.example.com']
  }
  dns::zone { '1.168.192.IN-ADDR.ARPA':
   soa         => 'ns1.example.com',
   soa_email   => 'admin.example.com',
   nameservers => ['ns1.example.com']
  }
  dns::record::a { 'ns1':
   zone => 'example.com',
   data => ['192.168.1.1'],
   ptr  => true;
  }
}

The error displayed is:

Error: Failed to apply catalog: Could not find dependent Exec[concat_/etc/named/zones/db.example.com.stage] for File[/var/lib/puppet/concat/_etc_named_zones_db.example.com.stage/fragments/9_db.example.com.ns1,A,example.com.record] at /etc/puppet/modules/concat/manifests/fragment.pp:123

My configuration:

puppet module list
/etc/puppet/modules
├── ajjahn-dns (v1.1.0)
├── puppetlabs-apache (v1.2.0)
├── puppetlabs-apt (v1.7.0)
├── puppetlabs-concat (v1.1.2)
├── puppetlabs-firewall (v1.4.0)
├── puppetlabs-inifile (v1.2.0)
├── puppetlabs-ntp (v3.3.0)
├── puppetlabs-postgresql (v4.1.0)
├── puppetlabs-puppetdb (v4.1.0)
├── puppetlabs-stdlib (v4.5.1)
├── saz-ssh (v2.4.0)
├── saz-sudo (v3.0.9)
├── stephenrjohnson-puppet (v1.3.1)
├── torrancew-account (v0.0.5)
└── custom (???)
/usr/share/puppet/modules (no modules installed)

My version of puppet:

puppet --version
3.7.4

At first I thought this was due to the version bump commit, but it looks like even old builds that once passed are now failing.

@solarkennedy Any ideas?

Hello.
Do you plan update a version this module?
I need feature from master "also_notify", but not need bind my librarian to master.

Hy,

I don't get it to use your module to manage DNS for class B network. (No problem with class C)
Imagine, I've got this network in 10.22.0.0/16 with multiple hosts, i.e. 10.22.0.4, 10.22.2.33 and 10.22.177.218

dns::record::a {
    'host177218':
        zone => 'my-domain.com',
        data => ['10.22.177.218']
        ptr => true,
}

dns::zone { 'my-domain.com':
  soa         => 'ns1.my-domain.com',
  soa_email   => 'admin.my-domain.com',
  nameservers => ['ns1']
}

# Reverse Zone
dns::zone { '22.10.IN-ADDR.ARPA':
  soa         => 'ns1.my-domain.com',
  soa_email   => 'admin.my-domain.com',
  nameservers => ['ns1']
}

All easy. When puppet runs, error is raised when concat module tries to assemble reverse zone config:

Invalid relationship: File[/opt/puppetlabs/puppet/cache/concat/_etc_bind_zones_db.0.22.10.IN-ADDR.ARPA.stage/fragments/9_db.0.22.10.IN-ADDR.ARPA.11.0.22.10.IN-ADDR.ARPA,PTR,0.22.10.IN-ADDR.ARPA.record] { notify => Exec[concat_/etc/bind/zones/db.0.22.10.IN-ADDR.ARPA.stage] }, because Exec[concat_/etc/bind/zones/db.0.22.10.IN-ADDR.ARPA.stage] doesn't seem to be in the catalog

(I create the A-record on the DNS-client as puppet exported resource and realize it on DNS server)

When changing reverse zone definition to dns::zone { '0.22.10.IN-ADDR.ARPA': [...] } it is working, but this is not what I want to do.

What is missing here?

Kind regards
ITler

Hi,

Trying to get the module to work and currently getting errors that look like:

Could not retrieve catalog from remote server: Error 400 on SERVER: Invalid relationship: File[/var/opt/lib/pe-puppet/concat/_etc_named_zones_db.lab.<redacted>.com.stage/fragments/9_db.lab.<redacted>.com.ns1,A,lab.<redacted>.com.record] { notify => Exec[concat_/etc/named/zones/db.lab.<redacted>.com.stage] }, because Exec[concat_/etc/named/zones/db.lab.<redacted>.com.stage] doesn't seem to be in the catalog

Any ideas on how I can resolve this to get things going?

It's not possible to override the forwarders for a zone to be empty. This means that authoritative zones will use the default forwarders from the options file even if this is not the desired behavior.

In Debian Jessie, trying to use this module:

`dns::server::options { '/etc/bind/named.conf.options':
forwarders => [ '8.8.8.8', '8.8.4.4' ]
}

Forward Zone

dns::zone { 'example.com':
soa => 'ns.example.com',
soa_email => '[email protected]',
nameservers => ['ns']
}

Reverse Zone

dns::zone { '0.42.10.IN-ADDR.ARPA':
soa => 'ns.example.com',
soa_email => '[email protected]',
nameservers => ['ns']
}

dns::record::cname { 'ns':
zone => 'example.com',
data => 'wagw.example.com',
}`

When provisioning using Vagrant, the following error message is coming:

==> default: Error: Evaluation Error: Error while evaluating a Function Call, validate_re(): input needs to be a String, not a NilClass at /tmp/vagrant-puppet/environments/local/modules/dns/manifests/server/default.pp:29:3

i have configured the module to collect the hostnames of all nodes. This works fine but suddenly the entries started to randomly switch places, causing an (unnecessary) eventful report.

Here is a diff puppet reported:

+3      IN  PTR git.sub.domain.com.
+4      IN  PTR test.sub.domain.com.
 1      IN  PTR foreman.sub.domain.com.
 2      IN  PTR vpngate.sub.domain.com.
-4      IN  PTR test.sub.domain.com.
-3      IN  PTR git.sub.domain.com.

entry 1 and 2 sometimes switch places, when calling puppet agent --test in series.
As i understand the concat module they are sorted by their name name which is defined as "db.${zone}.${name}.record" where name is "${hostname},A,${zone}". Yet still they manage to swap places once in a while.

This module has a dependency on the electrical-file_concat forge module, but so far as I can see, that module is not used anywhere in ajjahn-dns. My recollection is that this dependency was introduced because puppetlabs-concat used that module but did not include the dependency. However, since the 2.0.0 release of puppetlabs-concat, that module no longer uses the file_concat types.

As far as I see, its currently not possible to add a forward only zone, because the "file"-statement is not allow while using type forward

zone "domain.tld" {
    type forward;
    forward only;
    #file [...] (not allowed)
    forwarders {
                123.123.123.123; // dns-server of domain.tld
        };
};

I really far away being a ruby expert, so: Is this a fix?
_zone.erb_

zone "<%= @zone %>" {
  type <%= @zone_type %>;
<% if @zone_notify -%>
  notify <%= @zone_notify %>;
<% end -%>
<% if @zone_type != "forward" %>
  file "<%= @zone_file %>";
<% end -%>
<% if @zone_type == 'slave' -%>
  masters { <%= @slave_masters %>;};
<% elsif @zone_type == 'master' or   @zone_type == 'forward'-%>
<% if @allow_transfer -%>
  allow-transfer {
<% @allow_transfer.each do |ip| -%>
  <%= ip %>;
<% end -%>
  };
<% end -%>

<% if !@allow_forwarder.empty? -%>
  forward <%= @forward_policy %>;
  forwarders {
<% @allow_forwarder.each do |ip| -%>
  <%= ip %>;
<% end -%>
  };
<% end -%>
<% end -%>

};

Looks like the version number was increased to 2.0.1 in commit a20287b and to 2.0.2 in commit d0d1921. However, the last tag and Forge release is still 2.0.0.

It would be great to have tags for Puppetfiles and Forge releases for new users for the above versions.

If you try to use whats below puppet fails with...

Error: Duplicate declaration: Dns::Record::Ptr[40] is already declared

As you can see the entry I am trying to add is for separate subnets.

PTR:

dns::record::ptr {
'40':
zone => '1.0.10.IN-ADDR.ARPA',
data => ["eg1.example.com"];
}

PTR:

dns::record::ptr {
'40':
zone => '2.0.10.IN-ADDR.ARPA',
data => ["eg2.example.com"];
}

Thanks in advance.

Bind is loading the options in /etc/named.conf with no problems. However, it is only listening on localhost:53 (for example) as defined in that file.

The module creates /etc/named/named.conf.local and /etc/named/named.conf.options, but from what I can see this is not included in /etc/named.conf (which does not appear to be touched by the module).

Net result: nothing happens other than Binding as a caching nameserver accessible to localhost.

Hi,

With this config:

dns::zone { 'voice.domain.com': zone_type => 'master', nameservers => [ 'nsc-srva', 'rpi' ], }
dns::record::a {
  'nsc-srva.voice.domain.com': zone => 'voice.domain.com', data => [ $srva_ip_addr ];
  'rpi.voice.domain.com':      zone => 'voice.domain.com', data => [ $rpi_ip_addr  ];
  '.voice.domain.com':         zone => 'voice.domain.com', data => [ $voice_ip_addr ]; 
}

The generated zones looks like this (note the SOA line with double dots). I guess it's a bug, as I haven't set the soa params so it uses default values!

root@rpi:~# cat /etc/bind/zones/db.voice.domain.com
;
; BIND data file for voice.domain.com zone.
; File managed by puppet.
;
$ORIGIN voice.domain.com.
$TTL    604800
@   IN  SOA rpi.nrack01.domain.com.. root.rpi.nrack01.domain.com.. (
[...]

Best regards, Adam.

I think this line should be moved into the parameter section.

Even then though, I have to "double" set $cfg_dir (in my hiera, I'm using auto parameter lookup), at dns::server::cfg_dir level, and in options.

What results is this:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Invalid relationship: File[/tmp/bind/named.conf.options] { require => File[/etc/bind] }, because File[/etc/bind] doesn't seem to be in the catalog

Because here is pulling the default params $cfg_dir, and not one I've set.

Hi,

Running the command:
puppet module install ajjahn/puppet_dns

Installs your module into:
/etc/puppet/modules/puppet_dns

Your module should install to
/etc/puppet/modules/dns

Please add support for these two options.

https://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html

FYI, dnssec-tools is no longer in epel for rhel 7

Hi, I found out that the section

statistics-channels {
    ...
}

does not belong inside the options {} section of named.conf.options but outside:

options {
   statistics-channels {
   ...
...

does not work, while

options {
...
}
statistics-channels {
...
}

works fine.

cheers
Mathias

Hi,

I got this error when trying to declare same A entry on different zone.
Maybe the module doesn't support it?

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Duplicate declaration: Dns::Record::A[server1] is already declared in file /etc/puppet/manifests/site.pp:42; cannot redeclare at /etc/puppet/manifests/site.pp:48 on node client1.zone1.net

Here the manifest:

node client1 {
include dns::server
  dns::key { 'rndc':
  }
  # Forwarders
  dns::server::options{ '/etc/bind/named.conf.options':
    forwarders => [ '8.8.8.8', '8.8.4.4' ]
  }
  # Forward Zone
  dns::zone {
    'zone1.net':
      soa            => 'ns1.zone1.net',
      soa_email      => 'admin.zone1.net',
      nameservers    => ['ns1'],
  }
  dns::zone {
    'zone2.net':
      soa            => 'ns1.zone2.net',
      soa_email      => 'admin.zone2.net',
      nameservers    => ['ns1'],
  }
  # Reverse Zone
  dns::zone { '1.0.10.IN-ADDR.ARPA':
    soa         => 'ns1.zone1.net',
    soa_email   => 'admin.zone1.net',
    nameservers => ['ns1']
  }
  dns::zone { '2.0.10.IN-ADDR.ARPA':
    soa         => 'ns1.zon2.net',
    soa_email   => 'admin.zone2.net',
    nameservers => ['ns1']
  }
    # A Records:
    dns::record::a {
      'server1':
        zone => 'zone1.net',
        data => ['10.0.1.1'],
        ptr  => true;
    }
    dns::record::a {
      'server1':
        zone => 'zone2.net',
        data => ['10.0.2.1'],
        ptr  => true;
    }
}

Seems that the params class for my ubuntu server is looking towards the RedHat case?

Error: Could not set 'present' on ensure: No such file or directory @ dir_s_mkdir - /etc/named/named.conf.options20170430-6632-r7aqg0.lock at /etc/puppetlabs/code/environments/develop/modules/dns/manifests/server/options.pp:198
Error: Could not set 'present' on ensure: No such file or directory @ dir_s_mkdir - /etc/named/named.conf.options20170430-6632-r7aqg0.lock at /etc/puppetlabs/code/environments/develop/modules/dns/manifests/server/options.pp:198
Wrapped exception:
No such file or directory @ dir_s_mkdir - /etc/named/named.conf.options20170430-6632-r7aqg0.lock

Error: /Stage[main]/Profile::Nameserver/Dns::Server::Options[/etc/named/named.conf.options]/File[/etc/named/named.conf.options]/ensure: change from absent to present failed: Could not set 'present' on ensure: No such file or directory @ dir_s_mkdir - /etc/named/named.conf.options20170430-6632-r7aqg0.lock at /etc/puppetlabs/code/environments/develop/modules/dns/manifests/server/options.pp:198
Notice: /Stage[main]/Dns::Server::Service/Service[bind9]: Dependency File[/etc/named/named.conf.options] has failures: true
Warning: /Stage[main]/Dns::Server::Service/Service[bind9]: Skipping because of failed dependencies

server facts:

os => {
architecture => "amd64",
distro => {
codename => "trusty",
description => "Ubuntu 14.04.5 LTS",
id => "Ubuntu",
release => {
full => "14.04",
major => "14.04"
}
},
family => "Debian",
hardware => "x86_64",
name => "Ubuntu",
release => {
full => "14.04",
major => "14.04"
},
selinux => {
enabled => false
}

Lets say you have two domains, example.com and sub.example.com. Your server is the master server for example.com but is attempting to forward sub.example to another server.

  dns::zone { 'example.com':
    soa         => $::fqdn,
    soa_email   => "admin.${::domain}",
    nameservers => [ 'ns01' ],
  }

  dns::zone {'sub.example.com':
    zone_type => 'forward',
    forward_policy => 'only',
    allow_forwarder => '192.168.0.15'
  }

The problem is that Bind will return no results after the first zone unless you also add an NS record to the first zone allowing the second to be delegated.

Here's what it looks like in bind. Please note that this is the "example.com" zone and not the "sub.example.com" one.

; BIND data file for example.com zone.
; File managed by puppet.
;
$ORIGIN example.com
$TTL    604800
@       IN      SOA     ns01.example.com. admin.example.com. (
                1428536592              ; Serial
                604800          ; Refresh
                86400           ; Retry
                2419200         ; Expire
                604800  )       ; Negative Cache TTL
;
@               IN      NS      ns01.

nsl01.sub.example.com IN   A       10.33.0.2
corpvirt        60      IN      NS      nsl01.sub.example.com.
;

The important parts are the last two lines-

nsl01.sub.example.com IN   A       10.33.0.2
corpvirt        60      IN      NS      nsl01.sub.example.com.

These tell bind that it is allowed to delegate those results to another server. Funny enough BIND will never actually respond with those answers, it just needs them to be there. You can read more here.

This should be resolvable by simple adding a new resource type for "NS" records to this module.